
Proxy-Arp considered harmful


2011-11-03, RIPE63 – EIX Working Group. Wolfgang Tremmel, Director Support [email protected]


Page 3: Proxy-Arp considered harmful

[Diagram. Labels: Internet (top and bottom); 80.81.192.0/22; 80.81.194.A/22, 80.81.195.B/22, 80.81.194.C/22, 80.81.192.D/22, 80.81.193.E/22]

Page 4: Proxy-Arp considered harmful

[Diagram. Labels: Internet (twice); 80.81.192.0/22; 80.81.192.0/23 (three times); 80.81.194.A/22, 80.81.195.B/22, 80.81.194.C/22, 80.81.192.D/22, 80.81.193.E/22]

Page 5: Proxy-Arp considered harmful

[Diagram. Labels: Internet (twice); 80.81.192.0/22; 80.81.192.0/23; "Accepted: 80.81.192.0/23" (twice); "blocked"; 80.81.194.A/22, 80.81.195.B/22, 80.81.194.C/22, 80.81.192.D/22, 80.81.193.E/22]

Page 6: Proxy-Arp considered harmful

[Diagram. Labels: Internet (twice); 80.81.192.0/22; 80.81.192.0/23; "Accepted: 80.81.192.0/23" (twice); "blocked"; "ARP-Request: Who has 80.81.193.1?"; 80.81.194.A/22, 80.81.195.B/22, 80.81.194.C/22, 80.81.192.D/22, 80.81.193.E/22]

Page 7: Proxy-Arp considered harmful

[Diagram. Labels: Internet (twice); 80.81.192.0/22; 80.81.192.0/23; "Accepted: 80.81.192.0/23" (twice); "blocked"; "ARP-Request: Who has 80.81.193.1?"; "No proxy-arp"; 80.81.194.A/22, 80.81.195.B/22, 80.81.194.C/22, 80.81.192.D/22, 80.81.193.E/22]

Page 8: Proxy-Arp considered harmful

[Diagram. Labels: Internet (twice); 80.81.192.0/22; 80.81.192.0/23; "Accepted: 80.81.192.0/23" (twice); "blocked"; "ARP-Request: Who has 80.81.193.1?"; "No proxy-arp"; "Send Traffic for 80.81.193.1 to me!"; 80.81.194.A/22, 80.81.195.B/22, 80.81.194.C/22, 80.81.192.D/22, 80.81.193.E/22]

Page 9: Proxy-Arp considered harmful

Proxy-ARP: a history

• RFC 1027: “Using ARP to Implement Transparent Subnet Gateways”
  – 1987: A network with 100 hosts was considered large
  – Repeaters were common
  – Subnetting was “the new thing”
  – Proxy-Arp was a solution for connecting networks in which hosts were not aware of subnetting
• Proxy-Arp “on” as default in Cisco IOS since version 9 at least
• Do we still need this?

Page 10: Proxy-Arp considered harmful

DE-CIX: Lessons learned

• Before the incident we only tested for proxy-arp when new customers connected
• Configuration changes went unnoticed
• Now:
  – We test all connected customers for proxy-arp every 10 minutes
  – In case we find one:
    • 24/7 support gets a message
    • Customer is notified
    • Customer port gets shut down
    • As soon as the customer confirms he has turned off proxy-arp he gets re-enabled
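One way to implement the evaluation step of such a periodic test, added here as an illustration and not DE-CIX's own tooling: decode the ARP replies collected after probing the LAN and flag every MAC address that answered for an IP not assigned to it. The inventory, MAC addresses, prober address and sample replies are constructed, and 80.81.193.1 is assumed to be unassigned.

```python
import socket
import struct

# Constructed inventory (assumption): peering-LAN IP -> MAC of the router assigned to it.
ASSIGNED = {
    "80.81.192.10": "02:00:00:00:00:0a",
    "80.81.193.20": "02:00:00:00:00:14",
}

def parse_arp(payload):
    """Decode an Ethernet/IPv4 ARP payload into (opcode, sender MAC, sender IP)."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa = struct.unpack("!HHBBH6s4s", payload[:18])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return oper, sha.hex(":"), socket.inet_ntoa(spa)

def find_proxy_arp(payloads, assigned=ASSIGNED):
    """Return {MAC: [IPs]} for every MAC that replied for an IP not assigned to it."""
    offenders = {}
    for payload in payloads:
        try:
            oper, mac, ip = parse_arp(payload)
        except ValueError:
            continue  # skip malformed frames instead of aborting the sweep
        if oper == 2 and assigned.get(ip) != mac:  # opcode 2 = ARP reply
            offenders.setdefault(mac, set()).add(ip)
    return {mac: sorted(ips) for mac, ips in offenders.items()}

def make_arp(oper, mac, ip, prober_ip="80.81.192.1"):
    """Build a constructed ARP payload (sample data only, never sent on a wire)."""
    sha = bytes.fromhex(mac.replace(":", ""))
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper, sha,
                       socket.inet_aton(ip), bytes(6), socket.inet_aton(prober_ip))

# Constructed capture: replies collected after probing the LAN. 80.81.193.1 is
# treated as unassigned here, so any reply for it comes from a proxy-ARP router.
SAMPLE = [
    make_arp(2, "02:00:00:00:00:0a", "80.81.192.10"),  # owner answers: fine
    make_arp(2, "02:00:00:00:00:14", "80.81.193.20"),  # owner answers: fine
    make_arp(2, "02:00:00:00:00:14", "80.81.193.1"),   # answers for unassigned IP
    make_arp(2, "02:00:00:00:00:14", "80.81.192.10"),  # answers for a neighbour's IP
    make_arp(1, "02:00:00:00:00:0a", "80.81.192.10"),  # a request, ignored
    b"\x00\x01",                                       # truncated frame, ignored
]

if __name__ == "__main__":
    for mac, ips in find_proxy_arp(SAMPLE).items():
        print(f"proxy-arp suspected: {mac} answered for {', '.join(ips)}")
```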

Page 11: Proxy-Arp considered harmful

Thank you

Join DE-CIX now!

DE-CIX Competence Center
Lindleystrasse 12
60314 Frankfurt/Germany

Phone +49 69 1730 902 - [email protected]

22. April 2023 – DE-CIX Management GmbH #11

DE-CIX Competence Center @ Kontorhaus Building

Frankfurt Osthafen (Docklands)